1

I basically want to do what is explained in this serverfault question, so I want a group of people ("admins") be able to login in to many hidden servers with ssh using a jumpbox which stores the private keys for the hidden servers.

As updating the authorized_keys on the hidden servers is rather expensive, I only want to control access to them by modifying the jumpbox, i.e. add or remove "admins" by changing the authorized_keys file on the jumpbox.

What I especially do not want is to leak the private keys stored on the jumpbox to the admins, so the ssh-agent+ProxyCommand approach mentioned in the linked question's answers won't work because the agent would send the private keys from the jumpbox to the "admins", if I understand that right.

On the contrary, simply doing

ssh -tt jumpbox ssh hidden_server_1

has the drawback that "admins" can't use scp and port forwarding easily.

NB: Shell access to the jumpbox shall be disabled for "admins" by using a custom script as login shell that only allows the necessary commands.

Is there any secure & convenient way to keep the comfort of scp and port forwarding without weakening the security constraints?

Thank you very much for your help!

Community
  • 1
steiny
  • 173
  • 2
  • 8
  • 1
    This [Q&A](http://serverfault.com/q/639052/37681) may address some of your concerns, but with your requirements I would look into replacing your SSH jump box with a VPN server, and fix your configuration management so that updating the authorized_keys on the hidden servers is no longer expensive to do. – HBruijn Jul 07 '16 at 09:33

1 Answers1

3

It is not possible to "use" a private key without being able to read - and thus copy - that private key. So the idea that your admins can login to the jumpbox, then go onwards using a private key that they cannot directly access, is not going to fly.

But you can arrange things so that the private keys can only be used from the jumpbox (see man sshd, from= in AUTHORIZED_KEYS FILE FORMAT). Then, denying a given admin access to the jumpbox leaves him or her with keys that are of no further use.

Does that satisfy your security constraints?

Note that you write as if all remote admins were accessing a shared account on the jumpbox. If it were my system, I wouldn't do that; I'd have each remote admin have an individual account on the jumpbox, all such accounts having access to - or copies of - the relevant captive onward keypair. That makes revoking an individual admin's access to the jumpbox much easier and more reliable.

MadHatter
  • 79,770
  • 20
  • 184
  • 232
  • Indeed I thought about using only one admin user that all admins have access to and then make the `authorized_keys` root-owned. This would have required a complex user setup only once. But I guess it's probably the best to use your proposed "from" directive combined with the answer linked in the comment to the question. Then it is also easily possible to create one user account for each admin. – steiny Jul 08 '16 at 08:21
  • You can make a file `use` only with sudo, just only give the user permission to run the use command like sshd and give the file the permissions for root only (or some other account) – Ferrybig Jun 04 '17 at 12:37